Florida
What Is the FDBR? Florida Digital Bill of Rights
The Florida Digital Bill of Rights (FDBR), codified at Fla. Stat. 501.701 et seq., is Florida's comprehensive consumer data privacy law. It was enacted as Senate Bill 262 (2023), signed by Governor Ron DeSantis on June 6, 2023, and took effect July 1, 2024, giving Florida residents rights to access, correct, delete, and port their personal data and to opt out of sale, targeted advertising, profiling, and certain data collection.
As of 2026, the FDBR is the narrowest comprehensive state privacy law in the country at its core: the central "controller" obligations reach only for-profit businesses that make more than $1 billion in global gross annual revenues and fit one of three big-technology profiles. A separate set of broader provisions in the same package reaches far more businesses, and the Florida Department of Legal Affairs enforces all of it with civil penalties of up to $50,000 per violation, triplable in defined cases.
Jurisdiction scope: This covers Florida's Florida Digital Bill of Rights (Fla. Stat. 501.701 et seq.). It is general legal information, not legal advice.
What the FDBR is: statute, enactment, and effective date
The Florida Digital Bill of Rights is Florida's first comprehensive consumer data privacy law. It is codified at Florida Statutes Sections 501.701 through 501.722, within Part V of the state's consumer protection chapter. The short title in 501.701 expressly states that the part "may be cited as the Florida Digital Bill of Rights."
The Florida Legislature passed it as Senate Bill 262 during the 2023 session. Governor Ron DeSantis signed the bill into law on June 6, 2023, and the act took effect July 1, 2024. As of 2026, that effective date has passed, so every covered business is now fully subject to the law and the Department of Legal Affairs is actively enforcing it.
SB 262 was framed politically around protecting consumers and especially children from large technology platforms. That framing is visible in the statute's structure: the headline obligations are aimed squarely at the largest companies, while a separate cluster of provisions reaches a much broader set of businesses. For the parent overview of Florida privacy obligations, see the Florida data privacy laws hub.
The $1 billion controller threshold: why the FDBR targets Big Tech
The FDBR's defining feature is the definition of "controller" in 501.702(9), which is the narrowest in the country. A business is a covered controller only if it is organized for profit, conducts business in Florida or produces products or services used by Florida residents, collects personal data, makes in excess of $1 billion in global gross annual revenues, and satisfies at least one of three additional prongs.
The first prong, in 501.702(9)(a)6.a., is deriving 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online. This prong captures the largest ad-driven platforms.
The second prong, in 501.702(9)(a)6.b., is operating a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. The statute carves out a motor vehicle or a speaker or device associated with or connected to a vehicle operated by a motor vehicle manufacturer or its subsidiary or affiliate. This prong is aimed at major voice-assistant makers.
The third prong, in 501.702(9)(a)6.c., is operating an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. This prong reaches the dominant mobile app marketplaces.
The practical effect is that the FDBR's core controller obligations apply to only a handful of the very largest technology companies. A business that makes less than $1 billion globally, or that exceeds $1 billion but fits none of the three prongs, is not a "controller" and is outside the central duties of the law.
The broader provisions that reach far more businesses
It would be a serious mistake to read the FDBR as a Big-Tech-only statute and stop there. SB 262 created several provisions that apply well beyond the $1 billion controller, and Florida businesses of ordinary size must heed them.
First, the sale-of-sensitive-data consent rule in 501.715 prohibits a person meeting the controller definition's structural prongs in 501.702(9)(a)1.-3. from engaging in the sale of personal data that is sensitive data without prior consent from the consumer, or, for a known child, without the required authorization or compliance with the Children's Online Privacy Protection Act. Sensitive data is defined to include biometric data, so this functions as a sale-of-sensitive-biometric-data consent rule.
Second, the children's online protections in 501.1735 reach online platforms that provide an online service, product, game, or feature likely to be predominantly accessed by children, regardless of the $1 billion threshold. That section restricts processing a known child's personal data in ways that cause harm, prohibits certain dark patterns, and limits collecting a known child's precise geolocation without consent.
Third, SB 262 amended the breach-notification statute 501.171 to add biometric data (as defined in 501.702) and geolocation information to the definition of covered personal information, broadening data-breach duties for businesses generally. The bill also added 112.23, which restricts governmental entities from coordinating with social media platforms to remove or moderate content. Together these provisions mean the FDBR package touches many businesses that are not "controllers."
Consumer rights and the voice and facial recognition opt-out
Against a covered controller, Florida consumers hold the now-familiar suite of state privacy rights under 501.705: to confirm processing and access their personal data, to correct inaccuracies, to delete data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
The FDBR adds two opt-out rights that set it apart. Under 501.705(1)(f), a consumer may opt out of the collection of sensitive data, including precise geolocation data. Under 501.705(1)(g), a consumer may opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
Those two collection opt-outs are distinctive. Most state privacy laws let consumers opt out of selling or using sensitive data, but Florida lets a consumer opt out of its collection in the first place, and singles out voice and facial recognition features by name. The FDBR consumer rights guide walks through every right, the response window, and the appeal process in detail.
FDBR vs. CCPA: the key differences
Florida's FDBR and California's CCPA are frequently compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the FDBR and California's CCPA stand out.
| Feature | Florida FDBR | California CCPA/CPRA |
|---|---|---|
| Core coverage threshold | For-profit, over $1B global revenue AND one of three big-tech prongs (501.702(9)) | $25M revenue, OR 100,000 consumers, OR 50% revenue from data sales |
| Reach of core duties | Narrowest in the country; a handful of large platforms | Broad; many mid-size and large businesses |
| Distinctive opt-out | Opt out of voice or facial recognition collection (501.705(1)(g)) | Right to limit use of sensitive personal information |
| Sensitive data | Opt-in consent to process (501.71(2)(d)); opt-out of collection (501.705(1)(f)) | Opt-out right to limit |
| Private right of action | None (501.72(8)) | Limited, for certain data breaches |
| Enforcer | Department of Legal Affairs only (501.72) | California Privacy Protection Agency and Attorney General |
The most consequential difference is coverage. California's thresholds are disjunctive and reach a broad swath of businesses, while Florida's core controller test is conjunctive and aimed at only the largest technology firms. The second major difference is Florida's voice and facial recognition collection opt-out, which California does not match in the same form. The takeaway for a multistate business is that being outside the FDBR's controller definition does not necessarily mean being outside the CCPA, and the FDBR's broader provisions can still apply.
Related guides
- Florida data privacy laws parent hub
- FDBR consumer rights
- FDBR compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Fla. Stat. 501.701 to 501.722: Florida Digital Bill of Rights (2024 Florida Statutes, Chapter 501, Part V)(flsenate.gov).gov
- Fla. Stat. 501.701: Short title (Florida Digital Bill of Rights)(flsenate.gov).gov
- Fla. Stat. 501.702: Definitions, including the Controller definition and $1 billion threshold(flsenate.gov).gov
- Fla. Stat. 501.703: Applicability(flsenate.gov).gov
- Fla. Stat. 501.705: Consumer rights, including voice and facial recognition opt-out(flsenate.gov).gov
- Fla. Stat. 501.715: Requirements for sensitive data (sale-of-sensitive-data consent)(flsenate.gov).gov
- Fla. Stat. 501.72: Enforcement and implementation by the Department of Legal Affairs(flsenate.gov).gov
- Florida Senate Bill 262 (2023): Enrolled Bill Text(flsenate.gov).gov
- Florida Department of Legal Affairs: Florida Digital Bill of Rights Annual Enforcement Report(myfloridalegal.com).gov